Last week a furore erupted over a statement Google made about privacy – it was widely, and incorrectly, interpreted as having said that Gmail users could have no legitimate expectation of privacy.

Google was then widely re-interpreted, correctly, as not having said that.

So what happened, what did it say, and now that the mistake has been corrected is everything rosy in the garden?

On 12 August, Consumer Watchdog issued a press release warning Gmail users who care about privacy to ditch the service.

It issued its advice in response to a recently issued legal brief from Google that, in Consumer Watchdog’s eyes, showed the search giant admitting that it doesn’t care about people’s privacy.

At the root of their concern was some text taken from a motion to dismiss issued by Google in June in response to a class action lawsuit. The lawsuit claims that Gmail’s targeted advertising violates federal and state wiretapping laws.

The text taken from the motion to dismiss reads as follows (my emphasis):

Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient's ECS provider in the course of delivery. Indeed, "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties."

The idea that Google had admitted that it didn’t respect Gmail users’ privacy hit a nerve and Consumer Watchdog’s story gained an awful lot of traction on 13 and 14 August.

The words of Consumer Watchdog’s Privacy Project director, John M. Simpson, are, unsurprisingly, a neat summary of the general tone of the coverage:

People should take them [Google] at their word; if you care about your email correspondents’ privacy don’t use Gmail

The rebuttals point out two significant errors in the global coverage thus far:

1. The widely reproduced offending text is not about Gmail users; it is actually referring to non-Gmail users specifically.

2. The quote in the text is not Google opining; it is law: a quote from Smith v. Maryland, a 1979 Supreme Court ruling.

One of the websites that ran the story that misinterpreted what Google said was Naked Security (story since corrected). Our mistake was #1. We implied that the text was referring to Gmail users and the article was written with that basic assumption in mind.

So, after the dust has settled and those of us who made errors have owned up, is this a case of “nothing to see here”?

Well no, I don’t think it is.

Let’s start with the basics. Just because the text isn’t about Gmail users it doesn’t mean those people are immune from Google poking around in their electronic mail.

The fact is that Gmail users sign terms and conditions that establish Google’s right to do that.

So the text that asserts Google’s legal right to read emails applies to the rest of us – people who might knowingly or unknowingly email one of the four or five hundred million people with a Gmail account.

The fact that the quote, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties”, comes from existing law does not make it OK, or an obligation, it just makes it legal.

Google may not have invented those words but it is happy to use them to defend a practice that the law in question could never have been intended to cover.

It is saying that you have no right to expect privacy when you hand over your email to 3rd parties in general (in other words, whenever you send any email) because a law written before the widespread adoption of email says you don’t.

Having invoked the 3rd party doctrine Google goes on to explain that users are giving implied consent to ‘automated processing’ of any email sent from a non-Gmail account to a Gmail user.

...all users of email must necessarily expect that their emails will be subject to automated processing.

Consent is implied, by the way, by the very act of you sending an email.

That the principle of the 3rd party doctrine might not be a good fit for the internet age has not gone unnoticed in judicial circles. The Supreme Court’s own Justice Sonia Sotomayor has already questioned it in comments relating to United States v. Antoine Jones:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers.

The assertion that I am giving implied consent to ‘automated processing’ where ‘automated processing’ is undefined and therefore ‘any reproducible process Google can think of’ is the nub of what the article is about.

Personally, I do not believe that automated processing to remove spam is even remotely similar in nature to, say, automated processing to learn as much as possible about somebody from the content of emails they send. (Or more worrying still, the same as something Google might decide to automatically process emails for next week without my knowledge.)

I think the reason that this story has generated so much coverage is because it’s news to an awful lot of people, both Gmail users and non-Gmail users, that they are giving that kind of consent and because they are worried about the license that Google may be giving themselves on the back of that consent.

And because of that I think the general concerns the original story raised, and the legitimacy of those concerns based on Google’s arguments in this case, hold true despite the hyperbole and the inaccuracies in the reporting.

However, it seems only fair that we leave the last word to Google and finish with its response to the original Consumer Watchdog report:

We take our users' privacy and security very seriously; recent reports claiming otherwise are simply untrue. We have built industry-leading security and privacy features into Gmail — and no matter who sends an email to a Gmail user, those protections apply.

26 comments on “Why we should still be worried about what Google said regarding Gmail privacy”

It is not just gmail invading users' privacy! My yahoo.co.uk account was entered by Yahoo at their own admission and some of my contacts deleted! That is contrary to UK law and as the account is a .co.uk one then it is reasonable to expect that it will obey UK law and not US law that is probably unenforceable in the UK.
So it appears that US based companies feel they can flout the laws of other nations in which they operate and have a significant presence physically as well as electronically. There is an ongoing argument with Google over payment (or rather non-payment) of UK taxes on income accrued in the UK. A statement purportedly attributed to Google said, in effect, that they were claiming to be above our laws! I'm not in a position to know whether that attribution and/or claim is true or not, but it is worrying none the less.

They did the same thing to me in the U.S. I got a notice a couple of days ago that any email addresses that were no longer valid or had been deleted had been removed from my contact list. I was shocked and infuriated that they had been in my contact list at all, much less deleting addresses.

I'm not so infuriated by this. Yahoo decided to delete some old users who hadn't accessed their E-mail in a long time, so that their logins would be available again to new users. If they didn't clean up your contact list, that means someone who knew the login was deleted (say someone with a mutual contact) could then sign up for that address and start writing you, appearing to be that person. Yahoo should have explained this better, but Yahoo is really bad at explaining themselves.

Yeah I saw the same popup the other day in my own account, and actually, I thought it was really good of them to do that. I had no idea I had contacts with bad addresses… and as another comment pointed out, it would have been terrible to email one of them and unintentionally send (possibly) private information to a total stranger! So, I'm glad they did that. I think it falls under the banner of a dying art called "customer service"–where you anticipate needs and meet them before I have to ask. But that's just me!
I do think all this privacy stuff is important and we need to keep looking at it, and not just assume everything is all right. But we also need to calm down, most of the time. Targeted ads are not that bad; I'd rather have that than ads for things I don't want to see.

There was a guy that told me back in 1991: don't send anything through the net that you would not publish on the front page of the local & national newspaper.

A right to privacy is not to be expected. A few years ago, I had to verify my identity with a financial institution. By the questions they asked, there is more published information out there about all of us that is downright scary. And I am not a wacko, for the most part….

I disagree profoundly with the analogy of the local & national newspaper.
When I send something in a sealed packet by Royal Mail or similar, I expect it to be delivered unopened. I have a right to expect electronic mail to be treated similarly.

It is odd, isn't it, that we treat email like snail mail, except that tampering with snail mail is a federal offense (in the US, anyway) and tampering with email is considered normal. That's a pretty big disconnect.

The disconnect is due to people replacing activity they used to handle by snail mail with e-mail, while the way it is designed, e-mail requires mail transport agents to look at and fiddle with the message headers at a minimum, and often the message body as well (to get it into the right format for the recipient). Add spam and malware filtering, tagging, etc. into the mix, and you've got a whole chain of machines looking inside the envelope to figure out how to present the contents of the e-mail.

E-mail is really a replacement for the telegraph, not for snail mail (it doesn't do well at transporting physical goods yet), except that there is usually a much longer data retention policy in place for e-mail, for the hops as well as the destination.

Does anyone know what the laws are regarding privacy of telegraph messages?

All these companies are disregarding the laws that cover privacy issues but at the end of the day it is us the users that will decide the fate of these companies by removing our accounts from them or not. I no longer use Gmail but the account is still open. Let google work it out for itself is what I say hopefully their income will drop dramatically.

And do you really trust that the company you're using for email now is any better? At least Google's under constant public scrutiny. And how much do you trust that that mail service will be there tomorrow vs. having to make a hard choice between keeping their doors open and keeping their users' mail private? https://nakedsecurity.sophos.com/2013/08/10/encryp…

This is far more of a legal issue than it is a technical or business one. Companies are doing these things because it's profitable and legal. If we don't think it's right, if we think it is a gross violation of trust, then we should work to get that made law (and hope we don't actually make it worse doing so).

Electronic mail service providers have no legitimate right to examine the contents, without a court order, as with snail mail.
The assumption that a recipient's assistant might open a snail mail letter is wrong, because if I had an assistant I would expect him or her to follow my instructions.
Only if the recipient positively instructs the assistant to open mail would I expect the contents to be examined. Even then, I would not expect my assistant to arrange for me to receive advertisements based on the contents of the mail. That would be gross abuse of his or her position.
By definition Google does not have permission to pry into messages addressed to a non-Gmail user.

If all the time and trouble that has been spent accusing/defending Google on this issue had instead been spent educating the broad masses about how to set up encrypted email, this issue would be well on its way to not even being an issue.

I'm not saying that the public key infrastructure is perfect. All I'm saying is that I find it incomprehensible that millions of people send vast quantities of all kinds of information in unencrypted messages, and then squawk about the lack of privacy in email.

In fact, that suggests an interesting question: How many NakedSecurity readers regularly use encrypted mail? Here, where the readers are obviously at least minimally aware of security, I would expect to find a higher percentage of encrypted mail users than in the population at large. But I suspect that even here the majority of users aren't encrypting their messages.

If so, I can understand why. It's an uphill battle. I've been using encryption for 15 years, and although I've managed to get my professional associates to use it, most others shrug it off as "paranoia". My reaction is, “Fine. Stay ignorant.” But it's disingenuous to grouse about Google if they're unwilling to become part of the solution.

There's a ridiculous amount of complacency when it comes to privacy online. Why do so many people throw up their hands and say, "It's no surprise to me, I don't expect privacy"?

The article here is pointing out that the very laws on which email providers operate are woefully inadequate for the Internet age, which is exactly why these abuses of personal privacy are so rampant. If the laws underpinning digital communication were stricter then the companies offering those services would have to honor privacy. Isn't that something we should be asking for? Demanding, even?

There simply should be an expectation of privacy. Comments such as, "Then use encryption technology X or proxy service Y" are valid and important to a point, but leave the onus on the end-users and not on the communication providers themselves.

That is like asking someone to mail a letter but set up their own independent way of ensuring it is not opened during the delivery process rather than simply assuming that the postal service — guided by appropriate laws and ethical standards — will keep it closed.

Working through links and links on links, I've noticed something that seems to make a difference:

Smith v. Maryland was a ruling upon the use of a "pen register" (http://en.wikipedia.org/wiki/Pen_register). This is "a device or process which records or decodes routing, addressing, or signalling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication", apparently.

I don't think it can be right to apply the ruling outside the pen register context. Hence, Google can maintain a record that ginsbergce@sina.com sent a message to lotusblossom@gmail.com, but S v M gives Google no right to study the message.

I always thought it has been clear for years that Google was machine-reading e-mails in order to provide relevant advertising, and thus pay for the service. Anyone who didn't realize that is not paying attention.

The way around this, at least in the short term is widespread use of public cryptography. The problem with that can be summed up like this:

How many people do you know who will take the time to set up a public key, and learn how to use it?

Now think about how many people you know who have a Facebook account and publish their personal information on the internet willingly?